Why Healthcare Organizations Should Be Worried about the Community Health Systems Cyberattack

Larry Alton

In an era when hospitals, physician offices, insurance companies, and patients are thoroughly entrenched in digital records, we're quickly reminded of the risks when cyberattacks threaten our private medical data. The world received one of these serious reminders on August 18, when Community Health Systems (CHS) announced that data on 4.5 million patients had been compromised. According to the report filed with the U.S. Securities and Exchange Commission (SEC), the hospital operator company believes that these cyberattacks took place in April and June 2014. HIPAA and Compromised Data Unfortunately, much of the data stolen from CHS falls under HIPAA privacy rules that are meant to secure individually identifiable information regarding patients. While billing and payment information wasn't breached, CHS believes that patient social security numbers, phone numbers, addresses, names, and birthdates were exposed during the cyberattack. This can be a nightmare for healthcare organizations that can lead to extensive financial loss and reputation damage. HIPAA breaches can open an organization up to patient litigation. Attacks from Overseas The SEC report reveals that CHS consulted Mandiant, a cybersecurity firm, to trace the origin of these security breaches. The companies report that the cyber criminals were based in China and hit CHS system with malware to obtain patient data. Healthcare organizations and information management teams should continually be aware of the potential for data breaches, since these industries often store data that can lead to significant financial benefit. Patient data, industry developments, trade secrets, and billing information are often prime targets for hackers seeking to sell information. Patient Protection After a data breach of this magnitude, healthcare organizations need to have a plan of action to minimize further damage. Additionally, these businesses should be insured for event like cyberattacks, so that they have funds to address increased security measures. CHS claims in the SEC report that it will be "providing appropriate notification to affected patients and regulatory agencies as required by federal and state law" and plans to take steps to protect patients from identity theft. Patients can also examine the CHS locations map to see if they've used the services at one of the 206 hospitals that this company operates. Violations of Trust As of this week, it's difficult to see how preventable the CHS cybersecurity attack was. However, this incident comes as a stark reminder that hospitals, doctors' offices, and insurers should continually prioritize patient confidentiality and record safety. While the digitization of records has contributed significantly to a rise in healthcare productivity, these files also come with a higher risk of theft. Due to the sensitive nature of patient records, healthcare organizations that are successfully hit by hackers can also suffer from damaged public reputations. Aside from the SEC report, CHS has not issued any additional information regarding their response in the wake of this cyberattack. Healthcare organizations should periodically address their current data security strategies, to ensure that they can appropriately address current threats. Hopefully, the CHS data breach will prompt other organizations to review their patient information security processes.